Recent Cybersecurity Breach Case Proves Risks Are Rife for Both Retirement Plan Sponsors and Service Providers

The Employee Retirement Income Security Act of 1974 (ERISA) became law before the computer age, so there are no provisions in the Act dealing with cybersecurity. There is also no formal guidance from the IRS or the Department of Labor on cybersecurity responsibilities, leaving it to the courts to determine responsibilities under ERISA when a cybersecurity breach occurs that results in theft from a participant’s account.

This was the case in Leventhal v. MandMarblestone Group LLC, where a plan participant sued his third-party plan administrator and plan custodian after his 401(k) account was drained by cyber criminals.

Claim and Counterclaims

The original suit stemmed from a routine withdrawal request that attorney Jess Leventhal made from his law firm’s 401(k) plan. The firm — Leventhal, Sutton & Gornstein (LSG) — had its plan administered by a third-party administrator, MandMarblestone Group LLC (MMG), and a plan custodian, Nationwide Trust.

Leventhal submitted a request via a form required by Nationwide to withdraw $15,000 from his LSG plan. He sent the form to the LSG plan administrator, who forwarded it to MMG via email. Somehow, cyber criminals were able to obtain a copy of Leventhal’s withdrawal request form and used it to send a series of fraudulent emails with withdrawal requests to MMG, requesting additional withdrawals on Leventhal’s 401(k) account but directing the funds to a different bank account. Over several months, the entire account of more than $400,000 was drained without Leventhal’s knowledge.

Leventhal filed suit against MMG and Nationwide Trust, alleging breach of contract, breach of fiduciary duty under ERISA, and negligence. In May 2019, Judge Mitchell Goldberg of the U.S. District Court for the Eastern District of Pennsylvania ruled that MMG and Nationwide were ERISA fiduciaries because they were responsible for distributing plan assets to participants.

The court concluded that MMG and Nationwide failed to act prudently and diligently when they observed the number and nature of the fraudulent withdrawal requests being directed to a new bank account, and that they did not have the proper policies or procedures in place to safeguard participants.

Finally, the court held that the claims of negligence and breach of contract were preempted by ERISA and allowed only the ERISA breach of fiduciary duty claim to move forward.

Following that decision, MMG and Nationwide filed separate counterclaims. MMG’s claim alleged that LSG is the plan administrator, not MMG, and that LSG’s “own carelessness” in allowing its employees to work remotely and use personal email for official employment duties enabled the cybersecurity breach, making Leventhal and LSG equally liable under ERISA as the named fiduciaries of the LSG plan.

On May 27, 2020, Judge Goldberg ruled that while negligence allegations against other parties do not reduce a fiduciary’s liability, the counterclaims could proceed against LSG and Leventhal for contribution and indemnification between co-fiduciaries.

Currently, circuit courts are split on co-fiduciary contribution. The Second and Seventh Circuits have relied on the principles of traditional trust law to permit co-fiduciaries to assert claims for contribution and indemnity in ERISA actions, while the Eighth and Ninth Circuits have held that there is no right of contribution under ERISA.

Hall Benefits Law’s vision is to provide every client with the peace of mind that comes from the confidence that HBL has addressed all possible compliance vulnerabilities. To learn more, call our team of responsive, experienced ERISA and employment counsel at 678-439-6236.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.